Information Security Management

Cybersecurity Maturity

To effectively manage the adjustments and enhancements made to the cybersecurity strategy and cybersecurity defense system of each subsidiary, ASEH began implementing the NIST CSF maturity assessment mechanism in partnership with third-party consultants in 2019. The overall maturity level in cybersecurity was assessed based on five key indicators: Identify, Protect, Detect, Respond, and Recover. We have been gradually shifting our focus to refining and deepening our cybersecurity requirements. Each factory site can undertake individualized cybersecurity enhancements based on their own maturity assessment results and recommendations for improvement. We benchmark ourselves against the semiconductor industry and vow to understand our own cyber environment better. We assess the risks that impact each subsidiary in different cybersecurity areas, countries, or operations and consolidate resources to provide better guidance and support. Our goal is to implement and continuously improve the foundational cybersecurity management across businesses. In 2024, we proceeded with the last year’s maturity assessment mechanism and continued to collect data on individual subsidiary’s current cybersecurity management and control as well as cybersecurity frameworks and policies regarding NIST CSF’s five assessment dimensions. In addition, driven by the digital transformation, the convergence between IT and OT is becoming increasingly close. In particular, the scope of horizontal implementation is extending from IT to OT with the goal of aligning the cybersecurity maturity of OT closer to that of IT. This approach is adopted to gradually enhance the cybersecurity defense capabilities of critical operational systems within the company. In 2024, we engaged PwC Taiwan to continue the maturity assessment process. Using consistent vertical quantitative metrics, the assessment covered areas such as policy maturity, control maturity, management maturity, audit maturity, and supply chain maturity. The results provided concrete insights to progressively strengthen the cybersecurity defense capabilities of the company’s critical operational systems.

Cybersecurity Risk Identification and Management

We engage third-party audit firms annually to conduct information security audits, system vulnerability scans, and penetration testing to ensure that its information systems and network environments comply with security implementation standards. These efforts help enforce information security policies and customer privacy protection measures, effectively preventing the leakage of trade secrets and customer data. Tools used include Nessus for vulnerability scanning, BitSight for security ratings, the SecurityScorecard platform for analysis, and Red Team Assessments to evaluate system defense capabilities and incident response maturity. Additionally, the company provides monthly BitSight security rating reports to all sites for reference and continuous risk management improvement.

As we enter the era of digital transformation, we are not only continuing to strengthen cybersecurity measures, but also extending our expertise to the Operational Technology (OT) domain. Since 2022, we launched an OT cybersecurity assessment program, engaging external experts to identify and test potential risks in OT systems. In 2024, a total of seven sites completed the OT assessments, progressively building a cross-domain integrated cybersecurity defense framework.

In addition to external audits, ASEH also conducts regular internal self-assessments of its Information Security Management System (ISMS) based on the NIST Cybersecurity Framework (CSF) and ISO 27001. These assessments evaluate the effectiveness of risk management, control measures, and incident response processes, and the results are reported to senior management and the Board of Directors. In the event of an unexpected cyberattack, the Information Security Management Task Force promptly convenes technical response meetings to analyze and review defense strategies, building a synchronized and comprehensive security network to respond to threats in real time.

In addition to managing operational risks from the perspective of corporate governance, we try to increase employees’ cybersecurity awareness and enhance organizational operational capabilities as part of our focuses in cybersecurity management. All employees at ASEH must receive PIP cybersecurity educational training, including cybersecurity policy, cybersecurity management framework, cybersecurity control measures, etc. In 2024, a total of 147,289 individuals completed 89,371 hours of training courses. Additionally, occasional social engineering email drills were conducted to enhance employees' awareness of social engineering attacks through emails. Additionally, we will gradually introduce systematic management mechanisms to incorporate participation in cybersecurity meeting, educational training, incident management, confidential file labeling, antivirus/software security, and other cybersecurity-related projects in a systematic manner. Moreover, KPI monitoring and audits are conducted, extending the scope of management, and reaching every employee and every endpoint device. This will be integrated with employees’ performance to reduce penalties and legal liabilities resulted from violations against cybersecurity regulations, as well as the impacts on business operations.

Increasing Cyber Resilience

In 2024, no major information security incidents occurred at the company. To strengthen our cybersecurity response and protection capabilities, the company established a well-defined set of "IT Security Incident Reporting and Emergency Response Procedures". The procedure serves as a unified employee guideline that outlines detailed specifications, including incident classification, response team structure, severity level determination, reporting and handling procedures, incident monitoring and closure, follow-up investigations, corrective actions, and evidence collection. Cybersecurity incident drills are also conducted regularly to enhance employees' awareness and improve response efficiency.

The ASEH Information Security Management System further integrates cyber threat intelligence sharing and incident reporting, two core functions that enable real-time monitoring of internal and external threats, ensure timely reporting and resolution of incidents, and significantly enhance overall risk visibility and collaborative defense capabilities. With the increase in cybersecurity threats and the risks they pose to business operations, we have adopted a risk-based approach by securing cyber insurance coverage for the company. This added layer of protection allows us to respond swiftly to incidences and contain the impact of any cyberattacks, minimizing potential losses to the company operations, customers, supply chain partners and facilitating rapid business recovery.

To ensure the sustainable operations of important businesses and prevent interruption of critical information systems as a result of material cybersecurity incidents, we conduct an incident recovery drill every six months which lays out the organizational structure diagram, scope, duration, critical information systems, participating units, participating personnel and their assigned tasks, backup personnel for the drill, implementation steps and processes of the drill, required resources, data recovery from backup, risk management during the drill, post-drill review and improvement processes, among others. The purpose is to ensure the company can leverage disaster response capabilities and disaster recovery mechanisms to quickly restore operations to a normal or acceptable level for the business, achieving the goal of uninterrupted operations of critical information systems. The drill will continue to be implemented to provide maintenance, management, and training to ensure the effectiveness of the backup systems.

Information Security Information Exchange

ASEH works closely with government agencies, local and international information security organizations including FIRST, Taiwan Computer Emergency Response Team/Coordination Center (TWCERT/CC), and High-tech Information Security Alliance. As a member of the SEMI Semiconductor Cybersecurity Committee, we are actively driving the industry’s adoption of SEMI E187 – Specification for Cybersecurity of Fab Equipment, a Taiwan-initiated security standard. Adopting the relevant infosec regulations, standards and industry intelligence allow us to integrate our internal management systems and expertise, to develop a comprehensive set of capabilities that will further strengthen our resilience.

At the same time, we are committed to meeting the expectations from our upstream and downstream supply chains and stakeholders on matters related to information security. ASEH’s strong and robust security defense leads to a tightly-secured smart manufacturing environment and increases the company’s competitive advantage as a sustainable enterprise.

Supply Chain Cybersecurity Management

As a result of the digitization of the supply chain and the exchange of large volumes of data, the supply chain is faced with unprecedented cybersecurity risks. To effectively improve cybersecurity resilience across the supply chain, starting from 2022, ASEH has established the Supplier Cybersecurity Assessment and Execution System, which primarily focuses on critical suppliers. A total of 96 supplier cybersecurity assessments were conducted in 2024, following a four-step process consisting of current situation assessment, guidance for improvement, results confirmation, and cyclic survey. The scope of assessments will be gradually expanded and a cyclic regular survey conducted every three years to construct a comprehensive cybersecurity management mechanism, ensure stable business operations, increase cybersecurity resilience, and further improve the overall cybersecurity environment and level in the semiconductor industry.